Hunting ATT&CKs: A Framework for Success

Friday, February 15, 2019

Threat Hunting. MITRE ATT&CK. These words have been thrown around, mashed together, and forced upon the cyber security world en masse lately. There is no shortage of blogs on each, or on the combination of both – trying to explain them, define them, or show how they matter to every organization. This blog will be a bit of the same, but I really want it to bring something different to the discussion as well.

Threat Hunting isn’t new and I’m not going to define it, redefine it, or tell you what it is and what it isn’t. Many very smart people have done this already, and in such minute detail that I would merely be paraphrasing their work. For those readers unfamiliar with the concept of threat hunting, check out one of our recent blog articles here or research the following folks and their writings on the topic:

Robert M Lee

David J Bianco

Richard Bejtlich

Kris Merritt

MITRE ATT&CK is also not a new concept: introduced in 2013, it has grown and evolved a lot since then. ATT&CK is now front and center as a common framework for organizations.

While I won’t explain or discuss the framework here, I do highly recommend you read works published by MITRE directly as it is their framework.1 Instead, what I want to do is introduce you to why we use ATT&CK as the framework within our threat hunting strategy.

First, having a framework is a critical component for successful hunting. It provides clarity and scope to the hunting exercise which assists in limiting the potential rabbit trails hunters are oft prone to follow. It also helps define necessary data sources, tools, and even expected outcomes.

When we start our hunting exercises, we first pick an adversary Tactic where we want to focus. Lateral movement2 is a great place to start, because the likelihood of an adversary landing on the machine hosting their targeted data is extremely slim. This means that they must move across the environment, often through multiple endpoints, until they reach their goal. With this knowledge in mind, we have a high degree of confidence that if malicious activity has occurred in our network, we will see evidence of lateral movement.

Within the Lateral Movement Tactic, we have several Techniques to hunt. If we have intelligence from recent campaigns provided by our Threat Research Team we will start with the techniques leveraged during those campaigns. If not, we will hypothesize which techniques are most likely to be seen in our customers’ environments based upon our knowledge and experience thus far.

It is best, especially when starting out, to limit your hunt to one or two techniques. This is even more relevant when we look at the data sources needed to uncover this type of activity. Once we've settled on the technique(s), we identify the data sources required to hunt for them within our environment. Lateral movement is where “hands on keyboard” activity occurs, and we can hunt through endpoint behaviors to identify where the adversary is, or has been, conducting operations.

For many of the techniques inside of Lateral Movement, endpoint data is going to provide the necessary visibility and granularity. We can search for usage of built-in operating system administrative tools, as adversaries prefer to hide their activity within the noise of IT operations; this is often called “living off the land”.

Examples of living off the land include usage of Windows command line tools such as the built-in net command, or the Sysinternals PsExec utility that many administrators already keep on hand, to conduct technique T1077 “Windows Admin Shares.” 3
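To make the hunt described above concrete, here is an added example (not code from the original post or from Fidelis' tooling): a small Python hunt for T1077 activity over endpoint process-creation events. The events are constructed for this example in the shape of Sysmon Event ID 1 records (hostnames, users, times and command lines are all made up), and the rules are the ones a hunter would start with: `net use` against an administrative share (`C$`, `ADMIN$`, `IPC$`), a PsExec-style client launching against a remote host, and the `PSEXESVC.exe` service binary starting on the destination. The source-to-target edges are then stitched together so that a host that was reached and then used to reach further stands out as a pivot, which is the "multiple endpoints" pattern the text expects to see.

```python
"""Hunt for T1077 (Windows Admin Shares) in endpoint process-creation events (added example)."""
import json
import re
from collections import defaultdict

# Constructed sample in Sysmon Event ID 1 style, one JSON object per line.
# Hosts, users, times and commands are invented for this example. Note the benign
# noise (a mapped project share, a "net view") mixed in with the suspicious chain.
SAMPLE_EVENTS = r"""
{"UtcTime": "2019-02-12 09:01:10", "Computer": "WS-0142", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net use H: \\\\FILESRV01\\Projects /persistent:no", "ParentImage": "C:\\Windows\\explorer.exe"}
{"UtcTime": "2019-02-12 09:14:03", "Computer": "WS-0142", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"UtcTime": "2019-02-12 09:14:41", "Computer": "WS-0142", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net use \\\\SRV-APP07\\C$ /user:CORP\\svc_backup P@ssw0rd!", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"UtcTime": "2019-02-12 09:15:02", "Computer": "WS-0142", "User": "CORP\\jdoe", "Image": "C:\\Tools\\PsExec.exe", "CommandLine": "PsExec.exe \\\\SRV-APP07 -u CORP\\svc_backup -p P@ssw0rd! -s cmd.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"UtcTime": "2019-02-12 09:15:04", "Computer": "SRV-APP07", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\PSEXESVC.exe", "CommandLine": "C:\\Windows\\PSEXESVC.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"UtcTime": "2019-02-12 09:16:30", "Computer": "SRV-APP07", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net use \\\\DC01\\ADMIN$", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"UtcTime": "2019-02-12 10:02:17", "Computer": "WS-0377", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net view \\\\FILESRV01", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
"""

# \\HOST\C$ , \\HOST\ADMIN$ , \\HOST\IPC$ (any drive-letter share counts as administrative)
ADMIN_SHARE_RE = re.compile(r"\\\\([\w.-]+)\\(?:[A-Za-z]|ADMIN|IPC)\$", re.IGNORECASE)
UNC_HOST_RE = re.compile(r"\\\\([\w.-]+)")            # first \\HOST on a command line
PSEXEC_CLIENTS = {"psexec.exe", "psexec64.exe", "paexec.exe"}  # Sysinternals PsExec and a common clone
PSEXEC_SERVICE = "psexesvc.exe"                        # service binary PsExec drops via ADMIN$ on the target


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def classify(ev):
    """Return (indicator, target_host) if the event matches a T1077 hunt rule, else None."""
    image = basename(ev["Image"])
    cmd = ev["CommandLine"]
    if image in {"net.exe", "net1.exe"} and re.search(r"\buse\b", cmd, re.IGNORECASE):
        m = ADMIN_SHARE_RE.search(cmd)
        if m:  # mapping a normal file share (\\FILESRV01\Projects) does not match
            return "net use to administrative share", m.group(1).upper()
    if image in PSEXEC_CLIENTS:
        m = UNC_HOST_RE.search(cmd)
        return "PsExec-style remote execution", (m.group(1).upper() if m else None)
    if image == PSEXEC_SERVICE:
        # Destination-side evidence: the host itself is the target.
        return "PSEXESVC service binary started (destination side)", ev["Computer"].upper()
    return None


def hunt(events):
    """Apply the rules to every event and return the findings in time order."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            indicator, target = hit
            findings.append({"time": ev["UtcTime"], "source": ev["Computer"].upper(),
                             "user": ev["User"], "technique": "T1077",
                             "indicator": indicator, "target": target})
    return findings


def movement_edges(findings):
    """source host -> set of hosts it reached; destination-side hits carry no edge."""
    edges = defaultdict(set)
    for f in findings:
        if f["target"] and f["source"] != f["target"]:
            edges[f["source"]].add(f["target"])
    return edges


def pivot_hosts(edges):
    """Hosts that were reached from somewhere and then used to reach further."""
    targets = {t for ts in edges.values() for t in ts}
    return sorted(h for h in edges if h in targets)


if __name__ == "__main__":
    findings = hunt(parse_events(SAMPLE_EVENTS))
    for f in findings:
        print(f"{f['time']}  {f['source']:<10} {f['user']:<22} {f['indicator']}  -> {f['target']}")
    edges = movement_edges(findings)
    for src, dsts in edges.items():
        print(f"{src} -> {', '.join(sorted(dsts))}")
    print("pivot hosts:", pivot_hosts(edges))
```

Run as-is, the four suspicious events are reported and `SRV-APP07` is named as the pivot (reached from `WS-0142`, then used to touch `DC01`), while the mapped project share and the `net view` are left alone. In a real environment the same rules run over your EDR or Sysmon export, and the first thing the hunt usually turns up is exactly the ancillary finding the post mentions: an administrator passing a plaintext password on the `net use` command line, which is a policy problem whether or not it is an intrusion.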

To conclude our hunt exercise, we analyze the results to determine if we discovered any malicious activity. Not every hunt will uncover the next APT, and this is perfectly acceptable.

Usually we are left with ancillary benefits from our hunt that can be just as important to our security posture. Did we see signs of risky user behavior, or activity in direct violation of policy? Did we identify visibility gaps in our detection and monitoring systems that must be addressed for the next hunt to be successful?

Maybe we didn’t uncover usage of a specific technique, but we now know how to automate hunting for this technique in the future. Whatever the outcome, there should always be lessons learned to carry over into future hunts or other security operations.

So why talk through this at such a high level? You may be telling yourself “Great, another abstract, conceptual blog that tells me little to nothing about real world implementation” - and you are correct. This blog is an introduction to a series that will continue through the foreseeable future.

As part of Fidelis’ MDR service, we conduct hunting exercises just like this for our customers within their environments. As you saw in the previous paragraph, sometimes these hunts will return malicious activity and sometimes they only result in lessons learned.

Either way, we will be sharing the actions and results of our hunting in an anonymized fashion, with the intent that you will be able to follow our methodology and hunt in your own environments.

1. Strom, B. (2018, July 24). The Philosophy of ATT&CK. Retrieved February 10, 2019, from https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/the-philosophy-of-attck